Hi everyone,
I'm trying to set up a system with cryptfs2 and tpm2-tooling, which is currently working, but I'd like to change the DictionaryAttackParameter recovery time.
I've tried the following (scenario 1):
  Reset TPM from the BIOS
  tpm2_takeownership -T "device" -L "1234567890"
  tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"
I get a warning: the command may require writing of NV and NV is not currently accessible.
If I check the settings with:
  tpm2_getcap -c properties-variable
I notice they are not changed.
Scenario 2:
  Reset TPM from the BIOS
  tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"
  tpm2_getcap -c properties-variable
Values are written.
  tpm2_takeownership -T "device" -L "1234567890"
  tpm2_getcap -c properties-variable
Settings are reset to default.
What would I need to do to get the first scenario to work? I know I'm combining tools from 2.x with master, but that's because the cryptfs tooling is dependent on 2.x.
How can I unlock the NV? I've found tpm2_release, but I've got no clue what to release.
Kind Regards,
Christian Litjes

In the emulator, PCRs 0-16 and 23 default to 00 when the emulator is started. But PCRs 17-22 default to ff. Why is that? Why not have them all be 00 or all be ff? (Actually, I notice PCR0 is 03 upon startup; why is that?)
Peter

Hi all,
I just wanted to announce that we pushed a new crypto engine for OpenSSL using the tpm2-tss software stack.
It is licensed under the BSD 3-clause license.
It currently includes RSA sign, RSA decrypt and ECDSA with TPM generated keys.
It uses ESAPI/ESYS (so it's a good usage example) and thus relies on the 2.0 series of tpm2-tss.
I'd like to see some testing and bug reports if you don't mind.
You can find the project here: https://github.com/tpm2-software/tpm2-tss-engine
Big thanks to Infineon for sponsoring this work!
Best regards,
Andreas Fuchs

Hello,
TL;DR:
Are there any AIK Enrollment / POP examples available using tpm2-tools (or other open-source tools or code bases)?
Long version:
I had some success with tpm2-tools based attestation, e.g. generating an AIK, extracting the EKpub and EKCert from the TPM, performing the tpm2 quotation, etc.
However, my understanding of the relevant specs is that for TPM2 User Devices (and many other devices), the EK is limited to performing the Enrollment Processes (Proof of Possession). So to complete a meaningful Remote Attestation flow, there is a need to get the AIKCert externally using the AIK Enrollment Process[1] against an Attestation CA (formerly known as Privacy CA).
I fail to find public examples (tools, example code, etc.) of the enrollment step. Most of what I find when googling, for example strongSwan's TPM pages, appears to skip the AIK Enrollment Process / POP and just issue the certificate without any proof of possession.
Any links or insights would be appreciated =)
[1] Section 2.3,
https://trustedcomputinggroup.org/wp-content/uploads/IWG_CMC_Profile_Cert...

Previously, tpm2_loadexternal was quite limited. It could only load a public/private file in the TSS format (aka generated via readpublic or create).
Recently, on master, I have been working on a series that allows loading both the public and private portions of an object from PEM files.
This way, folks can seamlessly use OpenSSL objects in the TPM. The man pages have been updated to show full examples, as well as tests for this.
tpm2_loadexternal supports:
1. AES keys (raw key byte files)
2. RSA keys
3. ECC keys
We still need support for XOR and HMAC, but that should follow the AES key code closely. We dropped support in tpm2_loadexternal for TSS-format private objects, as no command response returns such a structure from the TPM.
Remember that loadexternal-loaded objects have restrictions on their use, since they are *NOT* TPM-managed objects. This is the major difference between tpm2_loadexternal and tpm2_import. ECC support has not been added to tpm2_import at this time.

Hello,
Actually, the main problem is that we have interfaced an SLB 9670 (TPM 2.0) with a 16-bit MSP430 controller, which does not support the Linux kernel or any OS.
Now our task is to store 100 bytes of data in NV memory, without any authorisation technique, as simple as possible.
Please guide me in that direction.
The SLB 9670 is interfaced with the MSP430 controller through the SPI protocol.
I am able to read the device ID and version ID of the SLB 9670, so SPI communication is working fine with our controller.
What is the packet format to be sent with our data? I am not able to understand the TCG documents.
Theoretically, I am able to understand that we have to do nvdefinespace, nvwrite, nvread; internally, what is the format I have to send? I am not able to understand.
Can you please guide me, or share any code snippet?
Sorry if I trouble you with any irrelevant questions.
Regards,
Manoj,
mail : abbarajumanojsai(a)gmail.com
+91-9063249308
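One concrete answer to the packet-format question, as an added example that is not from this thread or from Infineon: a small C marshaller for the TPM2_NV_Write and TPM2_NV_Read command frames a bare-metal MSP430 would send, authorised with the owner hierarchy's empty password, plus a parser for the NV_Read response. The NV index 0x01500000 used in the comments is an assumed placeholder; the index must first be created with TPM2_NV_DefineSpace (same framing, parameters TPM2B_AUTH and TPM2B_NV_PUBLIC with TPMA_NV_OWNERWRITE|OWNERREAD set), and the SPI/TIS register layer that moves these bytes through the TPM's data FIFO is not shown.

```c
#include <stdint.h>
#include <string.h>
/* Constants from the TCG TPM 2.0 Library spec, Part 2 (Structures); all wire integers are big-endian. */
#define TPM_ST_SESSIONS 0x8002u
#define TPM_CC_NV_Write 0x00000137u
#define TPM_CC_NV_Read  0x0000014Eu
#define TPM_RS_PW       0x40000009u  /* password-session handle */
#define TPM_RH_OWNER    0x40000001u  /* owner hierarchy; its password is empty on a cleared TPM */
/* TPM2_Startup(TPM_SU_CLEAR) with tag TPM_ST_NO_SESSIONS: must be the first command after power-on. */
const uint8_t TPM2_STARTUP_CLEAR[12] = {0x80,0x01, 0,0,0,12, 0,0,0x01,0x44, 0,0};
static size_t put16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)(v >> 8); b[1] = (uint8_t)v; return 2; }
static size_t put32(uint8_t *b, uint32_t v) { put16(b, (uint16_t)(v >> 16)); put16(b + 2, (uint16_t)v); return 4; }
static uint16_t get16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }
static uint32_t get32(const uint8_t *b) { return ((uint32_t)get16(b) << 16) | get16(b + 2); }
/* Common 31-byte prefix of NV_Write/NV_Read: header, handles {TPM_RH_OWNER, nvIndex}, then an
   authorization area holding one password session that carries the (empty) owner password. */
static size_t put_prefix(uint8_t *b, uint32_t cc, uint32_t total, uint32_t nv_index) {
    size_t n = put16(b, TPM_ST_SESSIONS);
    n += put32(b + n, total);        /* commandSize: whole command including this header */
    n += put32(b + n, cc);           /* commandCode */
    n += put32(b + n, TPM_RH_OWNER); /* authHandle: the index needs TPMA_NV_OWNERWRITE/OWNERREAD */
    n += put32(b + n, nv_index);     /* e.g. 0x01500000 (assumed placeholder index) */
    n += put32(b + n, 9);            /* authorizationSize: one TPMS_AUTH_COMMAND follows */
    n += put32(b + n, TPM_RS_PW);    /* sessionHandle */
    n += put16(b + n, 0);            /* nonce: empty TPM2B */
    b[n++] = 0x00;                   /* sessionAttributes */
    return n + put16(b + n, 0);      /* hmac field = password: empty TPM2B */
}
/* TPM2_NV_Write parameters: TPM2B_MAX_NV_BUFFER data, UINT16 offset. Returns 0 if out is too small. */
size_t build_nv_write(uint8_t *out, size_t cap, uint32_t idx, const uint8_t *data, uint16_t len, uint16_t off) {
    size_t n, total = 31u + 2u + len + 2u;
    if (total > cap) return 0;
    n = put_prefix(out, TPM_CC_NV_Write, (uint32_t)total, idx);
    n += put16(out + n, len); memcpy(out + n, data, len); n += len;
    return n + put16(out + n, off);
}
/* TPM2_NV_Read parameters: UINT16 size, UINT16 offset. The command is always 35 bytes. */
size_t build_nv_read(uint8_t *out, size_t cap, uint32_t idx, uint16_t size, uint16_t off) {
    size_t n = cap < 35 ? 0 : put_prefix(out, TPM_CC_NV_Read, 35, idx);
    if (n) { n += put16(out + n, size); n += put16(out + n, off); }
    return n;
}
/* Response: tag(2) responseSize(4) responseCode(4) [parameterSize(4) TPM2B data ... auth area].
   Returns responseCode (0 = TPM_RC_SUCCESS); for a successful NV_Read the data is copied to out. */
uint32_t parse_nv_read_rsp(const uint8_t *rsp, size_t len, uint8_t *out, size_t cap, uint16_t *got) {
    if (len < 10 || get32(rsp + 2) != len) return 0xFFFFFFFFu;  /* truncated or inconsistent frame */
    if (get32(rsp + 6) != 0) return get32(rsp + 6);             /* TPM_RC error code from the chip */
    if (len < 16 || (*got = get16(rsp + 14)) > cap || 16u + *got > len) return 0xFFFFFFFFu;
    memcpy(out, rsp + 16, *got);
    return 0;
}
```

For writes larger than the chip's TPM_PT_NV_BUFFER_MAX, split the data into chunks and advance the offset parameter; on a bare-metal board, send TPM2_STARTUP_CLEAR once after power-on before any NV command.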